Abstract 

In this work we present the first passive attack over the SASI lightweight 
authentication protocol with modular rotations. This can be used to fully 
recover the secret ID of the RFID tag, which is the value the protocol 
is designed to conceal. The attack is described initially for recovering 
$\lfloor \log_2(96) \rfloor = 6$ bits of the secret value ID, a result that by itself allows 
mounting traceability attacks on any given tag. However, the proposed 
scheme can be extended to obtain any number of bits of the secret ID, 
provided a sufficiently large number of successful consecutive sessions are 
eavesdropped. We also present results on the attack's efficiency, and some 
ideas to secure this version of the SASI protocol. 

Index Terms - Cryptanalysis, RFID, authentication, SASI, protocol. 

1 Introduction 

In 2007 Hung-Yu Chien published a very interesting ultralightweight authentication 
protocol providing Strong Authentication and Strong Integrity (SASI) 
for very low-cost RFID tags [1]. 

This was a much needed answer to the increasing need for schemes providing 
such properties in very constrained environments like RFID systems. As the 
previous attempts to design ultralightweight protocols had failed (all proposals 
have been broken), this new scheme was especially interesting. 

As we will see later, the major difference between this proposal and existing 
ones is the inclusion of the rotation operation. There has been, however, some 
confusion over the concrete type of rotation recommended by the author. It is 
important to note that the way in which rotations should be performed is not 
specified at all in the original paper [1]. So the first researchers to publish some 
weaknesses (two desynchronization attacks) against the protocol [10] needed 
to contact the author to clarify this issue. After a private communication, 
the author stated that the rotation he intended to use in the protocol was 
$Rot(A, B) = A \lll wt(B)$, where $wt(B)$ stands for the Hamming weight of 
vector B. 

That turned out to be a wise decision, as if he had decided to use the more 
common rotation definition $Rot(A, B) = A \lll (B \bmod N)$, he would have run 
into the attack described in this paper. This latter version of the protocol, with 
a modular rotation instead of a Hamming weight rotation, is the one which is 
analyzed in this work. 

The rest of the paper is organized as follows. In the next section we describe 
the SASI protocol, then in Section 3 we introduce our attack. Finally, in Section 
4 we extract some conclusions that could help in devising new and stronger 
versions of this variant of the SASI protocol. The source code of a very simple 
implementation of the attack can be found in the Appendix. 

2 Description of the SASI Protocol 

The SASI protocol is briefly described in the following, where R represents the 
reader, T represents the tag, IDS stands for an index pseudonym, ID is the tag's 
private identifier, $K_i$ represent the tag's secret keys and $n_1$ and $n_2$ are nonces. The 
ID is the most valuable information, allowing the unequivocal identification of 
tagged items, a property that is not provided by other consolidated identification 
systems such as barcodes. 

1. $R \rightarrow T$: hello 

2. $T \rightarrow R$: IDS 

3. With IDS, the reader finds in the backend database the tag's secret values 
ID, $K_1$ and $K_2$. 

4. R generates nonces $n_1$ and $n_2$ to construct messages A, B and C as follows: 

$A = IDS \oplus K_1 \oplus n_1$ 

$B = (IDS \vee K_2) + n_2$ 

$C = (K_1 \oplus \hat{K}_2) + (K_2 \oplus \hat{K}_1)$, where 

$\hat{K}_1 = Rot(K_1 \oplus n_2, K_1)$ 

$\hat{K}_2 = Rot(K_2 \oplus n_1, K_2)$ 

where $\oplus$ stands for the usual addition modulo 2, $+$ represents addition 
modulo $2^{96}$, and $\vee$ is the usual bitwise OR operation. 

Finally, the reader sends to the tag the concatenation of A, B and C: 
$R \rightarrow T$: $A \| B \| C$ 

5. From A and B, respectively, the tag can obtain the values $n_1$ and $n_2$. Then, 
it locally computes C and checks whether the result of its local computation is 
equal to the received value. If this is the case, it updates the values of IDS, 
$K_1$ and $K_2$ in the following manner: 

$IDS_{next} = (IDS + ID) \oplus (n_2 \oplus \hat{K}_1)$ 
$K_1^{next} = \hat{K}_1$ 
$K_2^{next} = \hat{K}_2$ 

6. $T \rightarrow R$: D with 

$D = (\hat{K}_2 + ID) \oplus ((K_1 \oplus K_2) \vee \hat{K}_1)$ 

7. R verifies D and, if it is equal to the result of its local computation, it 
updates IDS, $K_1$ and $K_2$ just as the tag does. 
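The exchange above, as an added example that is not part of the original paper or of the protocol author's material: one complete SASI session simulated on both sides (reader builds A, B, C; tag recovers the nonces, verifies C, answers D and updates; reader verifies D and updates), parameterised by the rotation definition so that the modular variant analysed here and the Hamming-weight variant can be compared. All function names, the state tuple layout and the sample values are this example's own assumptions.

```python
# Added example (not the paper's code): one SASI session, reader and tag side.
# Tag/reader state is the tuple (IDS, ID, K1, K2); all values are 96-bit ints.
import secrets

N = 96
MASK = (1 << N) - 1


def wt(x):
    """Hamming weight of x."""
    return bin(x).count("1")


def rot_modular(a, b):
    """Rot(A, B) = A <<< (B mod 96): the variant analysed in this paper."""
    s = b % N
    return ((a << s) | (a >> (N - s))) & MASK


def rot_hamming(a, b):
    """Rot(A, B) = A <<< wt(B): the variant the protocol's author intended."""
    s = wt(b) % N
    return ((a << s) | (a >> (N - s))) & MASK


def key_update(k1, k2, n1, n2, rot):
    """Fresh keys K1hat, K2hat used in C, D and the state update."""
    return rot(k1 ^ n2, k1), rot(k2 ^ n1, k2)


def reader_challenge(state, n1, n2, rot):
    """Step 4: from the record (IDS, ID, K1, K2) build the messages A, B, C."""
    ids, _id, k1, k2 = state
    k1h, k2h = key_update(k1, k2, n1, n2, rot)
    a = ids ^ k1 ^ n1
    b = ((ids | k2) + n2) & MASK
    c = ((k1 ^ k2h) + (k2 ^ k1h)) & MASK
    return a, b, c


def tag_response(state, a, b, c, rot):
    """Steps 5 and 6: recover n1, n2 from A and B, verify C, answer with D and
    update the state. Returns (None, state) when C does not verify."""
    ids, _id, k1, k2 = state
    n1 = a ^ ids ^ k1
    n2 = (b - (ids | k2)) & MASK
    k1h, k2h = key_update(k1, k2, n1, n2, rot)
    if (((k1 ^ k2h) + (k2 ^ k1h)) & MASK) != c:
        return None, state
    d = ((k2h + _id) & MASK) ^ ((k1 ^ k2) | k1h)
    ids_next = ((ids + _id) & MASK) ^ (n2 ^ k1h)
    return d, (ids_next, _id, k1h, k2h)


def reader_verify(state, n1, n2, d, rot):
    """Step 7: the reader recomputes D with the nonces it chose and updates."""
    ids, _id, k1, k2 = state
    k1h, k2h = key_update(k1, k2, n1, n2, rot)
    if (((k2h + _id) & MASK) ^ ((k1 ^ k2) | k1h)) != d:
        return False, state
    ids_next = ((ids + _id) & MASK) ^ (n2 ^ k1h)
    return True, (ids_next, _id, k1h, k2h)


def run_session(tag_state, reader_state, rot, n1=None, n2=None):
    """One full session. Returns (authenticated, tag_state, reader_state)."""
    n1 = secrets.randbits(N) if n1 is None else n1
    n2 = secrets.randbits(N) if n2 is None else n2
    a, b, c = reader_challenge(reader_state, n1, n2, rot)
    d, tag_state = tag_response(tag_state, a, b, c, rot)
    if d is None:
        return False, tag_state, reader_state
    ok, reader_state = reader_verify(reader_state, n1, n2, d, rot)
    return ok, tag_state, reader_state


def fresh_state():
    """Constructed tag record (IDS, ID, K1, K2) with random 96-bit values."""
    return tuple(secrets.randbits(N) for _ in range(4))


if __name__ == "__main__":
    for name, rot in (("modular", rot_modular), ("Hamming", rot_hamming)):
        st = fresh_state()
        ok, tag_st, rd_st = run_session(st, st, rot)
        print(name, "rotation: authenticated =", ok, "synchronised =", tag_st == rd_st)
```

Starting both parties from the same record, a session leaves them synchronised under either rotation; a tampered C is rejected by the tag without any state change, which is the behaviour step 5 requires.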

3 Cryptanalysis of SASI with Modular Rotations 

Before presenting the cryptanalysis of SASI with modular rotations, we explain 
the background and general assumptions on which the protocol is based. 

3.1 Background 

In 2006, Peris et al. proposed a family of Ultralightweight Mutual Authentication 
Protocols (henceforth referred to as the UMAP family of protocols). 
Chronologically, M$^2$AP [2] was the first proposal, followed by EMAP [3] and 
LMAP [4]. Although some vulnerabilities were discovered (active attacks [5, 6] 
and later on passive attacks [7, 8]) which rendered those first proposals insecure, 
they were an interesting advance in the field of lightweight cryptography 
for low-cost RFID tags. 

The SASI protocol is highly reminiscent of the UMAP family, and more 
concretely, of the LMAP protocol. 

Before the SASI proposal, however, all the messages exchanged over the insecure 
radio channel were computed by the composition of very simple operations 
such as addition modulo 2, addition modulo $2^{96}$, and bitwise operations like OR 
and AND. This presented a major drawback, as all of these operations are triangular 
functions (T-functions) [9]. That is, these functions have the property 
that output bits only depend on the leftmost input bits, instead of all input bits. 
Furthermore, the composition of triangular operations always results in a triangular 
function. This undesirable characteristic greatly facilitated the analysis of 
the messages transmitted in the UMAP family of protocols, and thus the work 
of the cryptanalyst. 

The main difference between LMAP and SASI is the inclusion of a non-triangular 
function, such that the composition of all operations would no longer 
be triangular. Specifically, rotation is now included in the set of operations 
supported by the tag, which is a reasonable assumption, as it can be performed 
quite efficiently. 
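An added example, not from the paper, that makes the T-function property of the last two paragraphs checkable: on a toy word width the search over all inputs is exhaustive, so the code verifies that a composition of XOR, modular addition, OR and AND is triangular (flipping input bit i never changes output bits of lower index, so output bit j is determined by input bits 0 to j), and that adding one modular rotation, as SASI does, breaks the property. The function names and the width W are this example's own assumptions.

```python
# Added example (not the paper's code): exhaustive check of the triangular
# (T-function) property on a small word width so all inputs can be enumerated.
W = 6                      # toy word width; the protocol uses 96 bits
M = (1 << W) - 1


def umap_style(x, y):
    """Composition of the UMAP operations only: xor, add mod 2^W, or, and."""
    return (((x ^ y) + (x | y)) & M) ^ (x & y)


def with_rotation(x, y):
    """The same composition followed by a modular rotation, as SASI adds."""
    v = umap_style(x, y)
    s = y % W
    return ((v << s) | (v >> (W - s))) & M


def is_triangular(f, width=W):
    """True if, for every input pair and every bit i, flipping input bit i of
    either argument leaves output bits 0..i-1 unchanged (the T-function property)."""
    for x in range(1 << width):
        for y in range(1 << width):
            base = f(x, y)
            for i in range(width):
                low = (1 << i) - 1          # output bits strictly below i
                flip = 1 << i
                if (f(x ^ flip, y) & low) != (base & low):
                    return False
                if (f(x, y ^ flip) & low) != (base & low):
                    return False
    return True


def low_bits_predictable(f, width=W, bits=2):
    """How often the low `bits` output bits can be predicted from the low `bits`
    input bits alone. For a triangular f this holds for every input pair, which
    is exactly what eased the analysis of the UMAP messages."""
    lowmask = (1 << bits) - 1
    hits = total = 0
    for x in range(1 << width):
        for y in range(1 << width):
            total += 1
            if (f(x, y) & lowmask) == (f(x & lowmask, y & lowmask) & lowmask):
                hits += 1
    return hits, total


if __name__ == "__main__":
    for name, f in (("xor/add/or/and", umap_style), ("with rotation", with_rotation)):
        hits, total = low_bits_predictable(f)
        print(f"{name}: triangular = {is_triangular(f)}, "
              f"low bits predictable in {hits}/{total} cases")
```

Note that the rotation amount itself comes from an input bit pattern (here y mod W, mirroring Rot(A, B) with B as the second argument), which is why one rotation is enough to move high-order input bits into low-order output positions.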

3.2 Analytical Results 

The natural way of attacking this protocol is to consider what happens when 
modular rotations are not performed, that is, when the amount of rotation 
given by the second argument is zero modulo 96. For these cases, the proposed 
protocol uses exactly the same set of operations that led to the attacks over 
the previous ultralightweight protocols, that is, no non-triangular functions. This 
should ease any analysis. Therefore: 

$\hat{K}_1 = Rot(K_1 \oplus n_2, K_1) = Rot(K_1 \oplus n_2, K_1 \bmod 96) = Rot(K_1 \oplus n_2, 0) = K_1 \oplus n_2$ (1) 

Similarly, 

$\hat{K}_2 = Rot(K_2 \oplus n_1, K_2) = K_2 \oplus n_1$ (2) 

This has a particularly nasty impact on the process of index pseudonym 
(IDS) update, since 

$IDS_{next} = (IDS + ID) \oplus (n_2 \oplus \hat{K}_1) = (IDS + ID) \oplus (n_2 \oplus K_1 \oplus n_2) = (IDS + ID) \oplus K_1$ (3) 

So we have that $ID = (IDS_{next} \oplus K_1) - IDS$, and we can take full advantage 
of the knowledge that $K_1 \equiv K_2 \equiv 0 \pmod{96}$ to conclude that, with a probability 
given in Table 1, depending only on the value of N (N = 96 in this case, but 
other values could be used for recovering more bits), it holds that 

$ID \bmod 96 \approx (IDS_{next} - IDS) \bmod 96$ (4) 

As both values $IDS_{next}$ and IDS are public and easily observable by snooping 
on two consecutive authentication sessions, this relation allows us to recover 
the $\lfloor \log_2(96) \rfloor = 6$ least significant bits of the secret ID and, analogously, to 
perform a traceability attack over the tag. 
The only question that remains is how to recognize when the conditions 
$K_1 \equiv 0 \pmod{96}$ and $K_2 \equiv 0 \pmod{96}$ hold simultaneously, since $K_1$ and $K_2$ are 
secrets that only the tag and the reader should know. Fortunately, this is possible 
by checking whether certain relations (that only involve public values) hold. 

Let us suppose that $K_1 \equiv K_2 \equiv 0 \pmod{96}$; then 

$\hat{K}_1 = Rot(K_1 \oplus n_2, K_1) = Rot(K_1 \oplus n_2, 0) = K_1 \oplus n_2$ (5) 
$\hat{K}_2 = Rot(K_2 \oplus n_1, K_2) = Rot(K_2 \oplus n_1, 0) = K_2 \oplus n_1$ (6) 

So 

$C = (K_1 \oplus \hat{K}_2) + (K_2 \oplus \hat{K}_1) = (K_1 \oplus K_2 \oplus n_1) + (K_2 \oplus K_1 \oplus n_2)$ (7) 

which implies that 

$C \bmod 96 = ((K_1 \oplus K_2 \oplus n_1) + (K_2 \oplus K_1 \oplus n_2)) \bmod 96 \approx (n_1 + n_2) \bmod 96$ (8) 

The value of $(n_1 + n_2) \bmod 96$ can also be probabilistically obtained from the 
observed values of the public messages A, B and IDS because: 

$A = IDS \oplus K_1 \oplus n_1 \Rightarrow n_1 = A \oplus IDS \oplus K_1$ (9) 

and then we get that 

$n_1 \bmod 96 = (A \oplus IDS \oplus K_1) \bmod 96 \approx (A \oplus IDS) \bmod 96$ (10) 

because, by hypothesis, $K_1 \equiv 0 \pmod{96}$. 

Similarly, we can obtain that, as $B = (IDS \vee K_2) + n_2$, then 

$n_2 \approx (B - IDS) \bmod 96$ (11) 

All in all, we can conclude that if $K_1 \equiv K_2 \equiv 0 \pmod{96}$ then, with the 
probability given in Table 1, 

$C \bmod 96 \approx (n_1 + n_2) \bmod 96 \approx ((A \oplus IDS) + (B - IDS)) \bmod 96$ (12) 

so what is left is to passively snoop multiple authentication sessions and, 
for each one, verify whether the above condition holds. If this is the case, one 
should compute the value $(IDS_{next} - IDS) \bmod 96$ and from this approximate 
$ID \bmod 96$. 



Only one last tweak is needed to perform a successful attack: just by chance, 
the above relation will be true even if the two preconditions $K_1 \equiv 0 \pmod{96}$ and 
$K_2 \equiv 0 \pmod{96}$ are not simultaneously true, and this will lead us to a possibly 
wrong estimation of $ID \bmod 96$. 
Table 1: Probabilities of Equations 4, 8, 10, 11 and 12 simultaneously holding 
for different values of N, given that $K_1 \equiv K_2 \equiv 0 \pmod N$ 

    N            Probability 
    $2^i$          1.00 
    $3 \cdot 2^i$  0.33 
    $4i + 10$      $2 N^{-1}$ 
    $2i + 5$       $N^{-1}$ 

1. For i = 0 to 96: 
2.     Observations[i] = 0 
3. Repeat a sufficiently high number of times N the following steps: 
4.     Observe an authentication session and get IDS, A, B and C. 
5.     Check whether for these values it holds that $C \equiv (A \oplus IDS) + (B - IDS) \pmod{96}$. 
6.     If this is not the case, go to step 4. 
7.     Perform the following tasks: 
8.         Wait for the authentication session to finish. 
9.         Send the tag a hello message to obtain $IDS_{next}$. 
10.        Compute $c = (IDS_{next} - IDS) \bmod 96$. 
11.        Increment Observations[c]. 
12. Find m, the maximum of the values in Observations[i]. 
13. Conjecture that $m = ID \bmod 96$. 

Fig. 2. Outline of the attack. 



This is, however, easily fixable by simply observing many values of $(IDS_{next} - 
IDS) \bmod 96$ when equation (12) holds, because the true value of $ID \bmod 96$ 
will likely be the most common. 

This fact has been experimentally verified and leads to the attack schematically 
described in Fig. 2. 

3.3 Efficiency analysis 

The attack presented could be performed not only for recovering $\lfloor \log_2(96) \rfloor$ bits 
of the secret value ID, but also works for other moduli, with varying probabilities 
as shown in Table 1. In particular, the set of probabilistic equations 
(i.e. equations 4, 8, 10, 11, 12) all hold with probability one for moduli that 
are a power of 2, so this allows for more efficient attacks able to obtain many 
more bits (i.e. $\log_2(256) = 8$, $\log_2(512) = 9$, $\log_2(1024) = 10$, etc.) if needed. 
In these cases, we naturally need to observe more authentication sessions for 
recovering more ID bits. 

As a rule of thumb we have concluded, after extensive experimentation, 
that an attacker following this procedure is on average able to recover the 
$\lfloor \log_2(S) \rfloor$ least significant bits of ID after observing around $\Theta(S)$ authentication 
sessions. 
4 Concluding Remarks 

In this article we have presented an attack against a variant of a novel and quite 
interesting ultralightweight authentication protocol. 

We analyze the SASI protocol under the assumption that the most common 
rotation definition (i.e. modular rotation) is employed. This analysis points 
out that the inclusion of the rotation operation (a non-triangular function) is a 
necessary but by itself not sufficient condition to achieve security in lightweight 
protocols. It also highlights the advantages of the Hamming rotation over the 
modular rotation explored here, namely that the former is much less likely to 
behave like the identity. This could be a good reason to lead future designers 
of ultralightweight protocols towards a preference for the Hamming over the 
modular rotation. 
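The claim that the Hamming rotation is much less likely to behave like the identity can be quantified exactly. The following added example (not the paper's code; function names are this example's own, and it assumes keys drawn uniformly at random) counts, for an n-bit key K, how often the rotation amount reduces to zero under each definition, and squares the result for the two-key precondition of Section 3.2. It is written for general n rather than only the paper's n = 96.

```python
# Added example (not the paper's code): exact probability that Rot(., K) acts as
# the identity for a uniformly random n-bit key K, under both rotation definitions.
from fractions import Fraction
from math import comb


def p_identity_modular(n=96):
    """P[K mod n == 0] for K uniform in [0, 2^n): count the multiples of n."""
    multiples = ((1 << n) - 1) // n + 1
    return Fraction(multiples, 1 << n)


def p_identity_hamming(n=96):
    """P[wt(K) mod n == 0]: wt(K) lies in 0..n, so only wt 0 and wt n qualify,
    i.e. the all-zero and the all-one key."""
    return Fraction(comb(n, 0) + comb(n, n), 1 << n)


def p_attack_precondition(p_single):
    """Section 3.2 needs both K1 and K2 to rotate by zero; with independent
    keys that is the square of the single-key probability."""
    return p_single * p_single


def expected_sessions(p):
    """Average number of sessions observed per session in which the
    precondition holds (the 1/p figure the appendix script estimates)."""
    return 1 / p


if __name__ == "__main__":
    for name, p in (("modular", p_identity_modular()), ("Hamming", p_identity_hamming())):
        q = p_attack_precondition(p)
        print(f"{name}: one key {float(p):.3e}, both keys {float(q):.3e}, "
              f"about {float(expected_sessions(q)):.3e} sessions per usable one")
```

For n = 96 the modular definition makes a single key rotate by zero with probability essentially 1/96 and both keys with probability about 1/9216, while the Hamming definition needs an all-zero or all-one key, an event of probability $2^{-95}$ per key, which is why the attack does not carry over.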

We have to acknowledge, however, that the proposed attack is not successful 
against the Hamming rotation as advocated by the author of the protocol. To 
date, the authors do not know of any other passive attack against the SASI protocol 
or its modular variant. Active attacks, on the other hand, abound both against 
the Hamming and against the modular version of the protocol. First, Sun et al. 
proposed two desynchronization attacks. Then, in [11] a denial-of-service and 
traceability attack was proposed. Recently, D'Arco et al. proposed another 
desynchronization attack [12], an identity disclosure attack, and finally a full 
disclosure attack against modular SASI. 

Some different design decisions would, on the other hand, have considerably 
hardened our attack; we briefly describe them in the following: 

• The IDS update could be improved, as it depends on $n_2$ and on $\hat{K}_1$, 
which is again a function of $n_2$. This is instrumental in our attack and, in 
any case, leads to all sorts of bad statistical properties. 

• The definitions of $\hat{K}_1$ and $\hat{K}_2$ should be rethought, as in the current 
form there is a kind of distributive property ($\hat{K}_1 = Rot(K_1 \oplus n_2, K_1) = 
Rot(K_1, K_1) \oplus Rot(n_2, K_1)$) that could ease attacks. 

This can be avoided by, for example, using addition instead of xor as the 
inner operator, although part of the problem still remains. The ideal solu- 
tion should be to devise a more complex key scheduling, but of course this 
will have an additional cost in terms of gate equivalents and performance. 

• The bitwise OR operation should be used with extreme 
care, as the resulting messages are strongly biased. 

As an example, in the current protocol definition $n_2$ could be approximated 
simply by computing $n_2 \approx B - 1$. 

Message D suffers from a similar problem. The use of a bitwise AND 
operation would produce similar undesirable effects. Past experience with 
other lightweight protocols has shown that these two operators should only 
be included in the inner parts of the algorithm, and every effort should 
be made to disguise their output into seemingly random output when 
constructing public messages such as B and D. 
In fact, an even more general version of this attack is possible. This alternative 
is, on the other hand, significantly less efficient than the attack scheme 
described here. It consists simply in observing and storing the different values 
of equation 4 (regular rotations are assumed again). In a well-designed protocol, 
these should approximately follow a uniform distribution, but we have experimentally 
observed that this is far from being the case. Following this extremely 
simple approach, with no approximations nor preconditions, we are able to recover 
up to 4 bits of the secret ID after around $2^{10}$ authentication sessions 
with a 100% success probability, a fact that could lead to a very straightforward 
tracking attack. 

Finally, we can conclude that the SASI protocol is indeed an interesting step 
in the right direction towards fully secure ultralightweight protocols, and that 
the decision about what type of rotation to employ was a correct one, because 
if modular rotations were used instead, the resulting protocol would fall short of 
the security requirements typically needed in these schemes. 

Appendix A: Attack's source code 

This is the source code of our attack, implemented in Python (given here in Python 3 syntax): 

# Traceability & recovery attack against the Modular SASI
# Ultralightweight Authentication Protocol

from random import randint

NumExperiments = 2**18


def wt(a):
    # Hamming weight of a (not needed by the modular variant, kept for reference)
    w = 0
    while a:
        if a % 2:
            w = w + 1
        a = a >> 1
    return w


def rot(a, b):
    # Left rotation of the 96-bit value a by b positions (b already reduced mod 96)
    return ((((a << b) % 2**96) | (a >> (96 - b)) % 2**96)) % 2**96


def sasiprotocol(L):
    # One protocol session; L holds [IDS, ID, n1, n2, K1, K2]
    IDS, SID, N1, N2, K1, K2 = L[0], L[1], L[2], L[3], L[4], L[5]
    A = IDS ^ K1 ^ N1
    B = ((IDS | K2) + N2) % 2**96
    K1hat = rot(K1 ^ N2, K1 % 96)
    K2hat = rot(K2 ^ N1, K2 % 96)
    C = ((K1 ^ K2hat) + (K2 ^ K1hat)) % 2**96
    D = ((K2hat + SID) % 2**96) ^ ((K1 ^ K2) | K1hat)
    IDSnext = ((IDS + SID) % 2**96) ^ (N2 ^ K1hat)
    O = [A % 2**96, B % 2**96, C % 2**96, D % 2**96, IDSnext % 2**96, K1hat % 2**96, K2hat % 2**96]
    return O


# The secret value we will try to obtain is I[1] = SID
I = []
for i in range(6):
    I.append(randint(0, (2**96) - 1))

# Keep the value of I for the future, so copy it on wI and only manipulate wI
wI = I

Observations = []
for i in range(96):
    Observations.append(0)
j = 0

for i in range(NumExperiments):
    O = sasiprotocol(wI)
    # Get IDS
    IDS = wI[0]
    # Get A, B, C
    A = O[0]
    B = O[1]
    C = O[2]
    # Check if it holds that C = (A ^ IDS) + (B - IDS) % 96
    if C % 96 == ((A ^ IDS) + (B - IDS)) % 96:
        j = j + 1
        # Obtain the value of IDSnext
        IDSnext = O[4]
        # Compute c = (IDSnext - IDS) % 96
        c = (IDSnext - IDS) % 96
        Observations[c] = Observations[c] + 1
    # Then, a new protocol session begins: IDS and the keys are updated, fresh nonces are drawn
    wI = [O[4], wI[1], randint(0, (2**96) - 1), randint(0, (2**96) - 1), O[5], O[6]]

# Print Observations & compute the maximum
maxcount = 0
maxindex = 0
for i in range(96):
    print("The value", i, "has been observed", Observations[i], "times")
    if Observations[i] > maxcount:
        maxcount = Observations[i]
        maxindex = i

print("The probability of a useful session is, approx. = 1/", NumExperiments / j)
print("The maximum value, and our guess for SID % 96 is", maxindex)
print("The correct value of SID % 96 is", I[1] % 96)

print("The difference between these values is", abs(I[1] % 96 - maxindex))
# This difference is always a power of two, meaning that
# the least significant bits of our guess were correct